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Though the theory of quantum error correction is intimately related to the classical coding theory, 
in particular, one can construct quantum error correction codes (QECCs) from classical codes with 
the dual containing property, this does not necessarily imply that the computational complexity 
of decoding QECCs is the same as their classical counterparts. Instead, decoding QECCs can be 
very much different from decoding classical codes due to the degeneracy property. Intuitively, one 
expects degeneracy would simplify the decoding since two different errors might not and need not be 
distinguished in order to correct them. However, we show that general quantum decoding problem is 
NP-hard regardless of the quantum codes being degenerate or non-degenerate. This finding implies 
that no considerably fast decoding algorithm exists for the general quantum decoding problems, and 
suggests the existence of a quantum cryptosystem based on the hardness of decoding QECCs. 

PACS numbers: 03.67.Pp, 89.70.Eg 



I. INTRODUCTION 

The invention of quantum error correction codes 
(QECCs) [lH3| was one of the driving forces that boosted 
the fast-growing field of quantum information and com- 
putation. Great similarities shared between QECCs and 
classical codes were quickly discovered ever since, and the 
later contributed significantly to the development of the 
former. Particularly, a large portion of QECCs known 
so far is inspired or constructed directly from classical 
codes. These similarities then led to a common consen- 
sus that the general quantum decoding problem belongs 
to the same computational complexity class as its classi- 
cal counterpart. 

In complexity theory, computational intractability 
can be rigorously characterized by the concept of NP- 
hardness. Formally, the complexity class NP is defined 
as the class of all decision problems that can be solved 
by a nondeterministic Turing machine in a number of 
steps polynomial in the input length. A computational 
problem Pj is said to be NP-hard if it is as hard as the 
hardest problems in the class NP in the following sense: 
the existence of a polynomial-time algorithm for Pi im- 
plies the existence of a polynomial-time algorithm for all 
problems in NP. A computation problem is said to be 
NP-complete if it is NP-hard and in NP. The class of 
N P-hard problems includes a multitude of computational 
tasks believed to be intractable, such as many optimiza- 
tion or combinatorial problems. 

It was Berlekamp et al. [|| who first showed that gen- 
eral decoding problem for classical linear codes is NP- 
hard. This result assured that it is unlikely that a sub- 
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stantially fast algorithm for decoding the most likely clas- 
sical error would exist. Bruck and Naor [j| and Lob- 
stein Q then showed that the problem remains hard even 
if the code is known in advance, while Arora et al. Q 
showed that approximating the minimal-weight solution 
is also NP-hard. 

The similarity between QECCs and classical codes 
breaks down regarding the differences between how a 
classical error acts on a codeword and how a quantum 
error acts on a code space. A striking feature of QECCs 
is that they can sometimes be used to correct more er- 
rors than they can uniquely identify Q. The feature of 
degeneracy in QECCs thus calls for a completely differ- 
ent strategy for decoding quantum errors [9|, and gives 
us hope that there are chances that general quantum de- 
coding can be performed efficiently. However, in this pa- 
per, we will show that the problem of decoding the most 
probable quantum error is NP-hard regardless of QECCs 
being degenerate or non-degenerate. 

The classical McEliece cryptosystem [To} is considered 
as one of the best candidates for post-quantum public- 
key cryptosystem. Its security, which is based on the 
hardness of decoding general classical linear codes, has 
been shown recently to be also robust against quantum 
Fourier sampling attacks Our result, showing that it 
is unlikely that a substantially fast algorithm for decod- 
ing the most probable quantum error would exist, may 
become a foundation of a quantum analogue of the clas- 
sical McEliece cryptosystem. Notice that a proposal of 
such a quantum McEliece cryptosystem has been pro- 
posed recently [12 1. 

This paper is organized as follows. In Sec. HH we first 
introduce the stabilizer formalism of quantum error cor- 
rection codes, and its optimal decoding strategy. Then 
we relate the stabilizer formalism to the classical sym- 
plectic codes. We establish our main result - decoding 
general QECCs is NP-hard in Sec. Mil We conclude the 
paper in Sec. IIVI 
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II. QUANTUM ERROR CORRECTION CODES 

Denote the set of Pauli matrices by II = {J, X, Y, Z}, 
and define the following n-fold Pauli group Q n : 



Gn = {[A 1 



A 2 



•A^ : Ai £ IT, Vi} 



under the multiplication operation [A] [B] = [AB] where 
[A] = {aA : a £ C,\a\ — 1} for some operator A. An 
[[n, k]} QECC is a subspace C of size 2 fc in the Hilbert 
space C®". It can be specified as the +1 eigenspace 
of a set of commuting operators {Z\, ■ ■ ■ , Z n -k} C Q n 
that generates under multiplication the so-called stabi- 
lizer group S. 

The generating set of S can then be extended to a 
generating set of Q n : 

Qn = \Zi>Xj)l<i,j<ni (1) 

such that these operators satisfy the following relations: 



[Zi,Xj] 
{Zi,Xi} 



0,Vi. 



(2) 
(3) 
(4) 
(5) 



Operators that commute with each element in the sta- 
bilizer group S map the code space to itself, and form 
a group Z{S) 1 the normalizer of S in Q n . Denote by 
C = (Zi,Xj) n -k+\<i,j<ni an d by T = \Xi)\<i<n-k- Er- 
rors from C act nontrivially on the code space C but 
cannot be detected by the error syndrome. However, er- 
rors from T can be uniquely identified by measuring the 
stabilizer S. Specifically, the i th element s, of the error 
syndrome s £ (Z2)™ is equal to one if the error oper- 
ator E £ T anticommutes with the i th generator Zi of 
group <S, and is equal to zero otherwise. 

The definition of degeneracy depends on the error set 
£ which the QECC is designed to correct. If two errors 
Ei , E2 £ £ are related by some element in the stabilizer 
group P £ S 1 say E\ = E2P, these two errors cannot 
and need not be distinguished since they have the same 
effect on the code space C. We then call such a QECC 
degenerate. On the other hand, if each error in the error 
set leads to a distinct error syndrome, such a QECC is 
non-degenerate. 

For any given error syndrome s (corresponding to a 
unique operator T £ T in terms of the set of generators 
(HJ), the optimal decoding strategy is therefore to find an 
error E £ C such that X^sgs P T (SET) is maximum since 
it will minimize the overall probability of decoding error. 
Notice that the probability of an error A £ Q n , Pr(A), de- 
pends on the specific channel model used. If the QECC is 
non-degenerate, the optimal decoding strategy reduces to 
finding a most likely error E £ C: max£ £ £ Pi(ET). We 
call such decoding strategy "Quantum Maximum Like- 
lihood Decoding" (QMLD) due to its similarity to the 
maximally likelihood decoding in the classical setting. 



There is a one-to-one correspondence between an 
[[n, k]} stabilizer code C and a symplectic code C of size 
2 n+k in (Z2) 2 ™. We will mostly use the symplectic for- 
malism in the following since it is more convenient to 
work with vectors. 

Denote by a = (z\x) £ (Z2) 271 , where x = 
(x\, • • • , x n ) and z = (z\, ■ ■ • , z n ) are n-bit strings with 
Xi,Zi £ 1>2 = {0, 1}. There is a bijection N : a — > N a 
that maps every symplectic vector a. in (Z2) 2 ™ to an op- 



erator N a in Q n : 

N a ee [Z Z X X ] = [Z Z1 X X1 ] 



\Z Z -X X " 



where we write Z z = Z Zl ® • • • ® Z z ™ and likewise for 
X x . 

For two vectors a = (z\x) and f3 = (z'\x'), define the 
symplectic product : (Z 2 ) 2 " x (Z 2 ) 2 ™ -» Z 2 to be: 

a (3 — z ■ x' + x ■ z' , 

where ■ is the regular inner product between two vectors 
in (Z2) 11 , and + is a binary addition. The symplectic 
product between two vectors a. and (3 characterizes the 
commutation relation between two operators N a and N/3: 

N a N p = (-l) a ^N N a . 

Let S — {a\, • • • , a n _fc} be a collection of n — k inde- 
pendent symplectic vectors in (Z2) 2 ™ such that a,0ctj — 
Vz, j = {1, • ■ • , n — k}. We can construct the set of 
canonical basis vectors {a*, flj}i<i.j<n for (Z 2 ) 2 ™ such 
that fillll: 



OLi tXj = 

Pi® Pj = 

aiOPj = 

OLi Pi = 



0, Vi,j 

1, Vi. 



(6) 
(7) 
(8) 
(9) 



Let H be an (n — k) x 2n matrix where the i-th 
row vector of H is a,. Define the symplectic code 
C = {ui £ (Z 2 ) 2 ™ : H oj = 0}. It is easy to verify 
that C = span{ai,-- - ,cx n ,Pn-k+W" iPn}- Let C 1 - 
be the row space of H, i.e., C = span{ai, • • • , a„_fe}- 
Let L = span{a„_ fc+ i, • • • , a n , p n -k+u • ■ • ,Pn} and 
T = span{/3i,-- - ,/3„_fc}. We can then identify S, 
and T in Q n with C- 1 , L, and T in (Z2) 2 ™, respectively. 

Given an error syndrome s £ (Z2)™~ fc , let D s = {u> : 
H u) = s}. Each error vector 7 £ D s can be decom- 
posed into 7 = 71 + 72 + 73, where 71 £ C ± , 72 £ L, 
and 73 £ T. Furthermore, the symplectic vector 73 is 
uniquely defined by the error syndrome s: 



13 = ^2 s% $ 1 



(10) 



For any given error syndrome s, and the corresponding 
73 £ T, the optimal decoding strategy in the symplec- 
tic formalism is then to find a vector 72 £ L such that 
S-Yiec- 1 - Pr (7i + 72 + 73) is maximum. 



3 



III. MAIN RESULTS 

We assume that the QECC C is used on a Pauli chan- 
nel which generates the Z error and the X error indepen- 
dently with probability p (therefore the Y error occurs 
with probability p 2 ). Such an independency assumption 
has been widely used in analysis of quantum key distri- 
bution (QKD). For example, the authors in 15] apply 
CSS-type QECCs such that the bit error and the phase 
error can be independently corrected. 

Each error operator £ Q n generated by many uses 
of the quantum channel occurs with probability Pr('y): 



Pr( 7 ) =p wt ^ ) (l _ p )2«-wt(7) j 



(11) 



where we define the function wt(^) of a symplectic vector 
7 = (z\x) G (Z 2 ) 2n to be: 



wt(7) 



(12) 



Here, \a\ denotes the Hamming weight of a binary vector 
a in (Z 2 ) n . 

As discussed in SeclU given an error syndrome s rep- 
resenting an element 73 £ T, the optimal decoding strat- 
egy for non-degenerate QECCs is to find the most likely 
error, i.e., to find a vector 7 £ L that maximizes the 
quantity Pr(7 + 73). Since we assume p < 1/2, this is 
equivalent in our setting to finding a vector 7 £ L that 
minimizes wt(7 + 73), so we define the associated com- 
putational problem as follows. 

Quantum Maximum Likelihood Decoding (QMLD) 

Instance: A basis {a. l ,(3 j } of (Z 2 ) 2 ™ satisfying ©-© 
and a vector 73 G T. 

Output: A vector 76L that minimizes wt(7 + 73). 

This decoding strategy is optimal if the QECC is non- 
degenerate. However, as mentioned in H, it is not opti- 
mal if the QECC is degenerate. Notably, general quan- 
tum decoding deals with the error set £ = Q n that con- 
tains all possible errors, e.g., as resulted by the channel 
model considered here in this paper. In such case, the 
QECC is necessarily degenerate and the optimal quan- 
tum decoding in this case is to find the most likely set of 
errors that can be corrected by the same correction oper- 
ator. Given an error syndrome s representing an element 
73 G T, the optimal decoding strategy is then equivalent 
to finding the most likely coset 72 +73 + C in D a , since 
the operator N-y 2 +~f 3 can be used to correct every error 
N u , G 72 + 73 + C ± . Let us identify C/C 1 - with the 
set L defined above of symplectic vectors representing 
each coset of C in C . Our goal then becomes finding 

arg max } Pr(7i + 72 + 73) = 
72 e£ — ' 

■nec x 

argmax V p wt ( w > (1 _ p )2n-wt(u,) _ ^ 

^e72+T3+C- L 

Notice that the coset containing the most likely error may 
not be the most likely coset determined by Equation (TH 
The associated computational problem is as follows. 



Degenerate QMLD (DQMLD) 

Instance: A basis {a,-,/3j} of (Z 2 ) 2n satisfying ([5])-© 
and a vector 73 G T. 

Output: A symplectic vector 7 G L that maxi- 
mizes E^+^+c- (P wt(w) (l ~pf n ~^). 

We say that an algorithm solves the computational 
problem QMLD or DQMLD in polynomial time if its run- 
ning time is polynomial in n. The main result of this 
paper is the following theorem. 

Main Theorem The problems QMLD and DQMLD are 
both NP-hard. 

Our result formally proves that the existence of a poly- 
nomial time algorithm for optimal quantum decoding is 
extremely unlikely even in the degenerate case. 

Before giving a proof of our main theorem, we review 
the N P-completeness of classical decoding. In the classi- 
cal maximal likelihood decoding scenario, it is intuitively 
necessary for the receiver to search through the entire set 
of 2 fe solutions to Hn = s in order to find a solution with 
minimal weight. Berlekamp et al. formalized this intu- 
ition and showed that the following associated decision 
problem is NP-complete 

Classical Maximum-Likelihood Decoding (CMLD) 
Instance: An (n — k) x n matrix A over Z 2 , a target 
vector y G (Z 2 ) n_fc and an integer m > 0. 
Question: Is there a vector w G (Z 2 )" with \w\ < m 
such that Aw = yl 

Berlekamp et al. also showed that CMLD remains NP- 
complete if A is assumed to have full row-rank (i.e., A 
is a parity-check matrix). It is easy to see that CMLD 
also remains N P-complete even if A is assumed to be in 
standard form, i.e., of the form 



A = [I n - k P] 



(14) 



for some matrix P of size (n — k) x k. This is due to 
the fact that any linear code is permutation equivalent 
to a code which has a parity-check matrix in standard 
form, and to the fact that this transformation can be 
done in polynomial time and does not c hang e the weight 
distribution of the code (see for example 16( for a proof). 

Proof of the main theorem. — The standard way of 
proving the NP-hardness of a problem Pi is to prove 
a polynomial-time reduction from a NP-hard problem 
P 2 to the original problem Pi, i.e., to show that any 
polynomial-time algorithm for Pi can be used to solve in 
polynomial time the problem P 2 . 

Our strategy here is to show two polynomial-time re- 
ductions from the NP-complete problem CMLD: one from 
CMLD to QMLD and one from CMLD to DQMLD. Let 
(A,y,m) be any instance of the problem CMLD, where 
A is an (n — k) x n matrix over Z 2 of the form (|14p . 
y = (yi, . . . , yn-k) is a vector in (Z 2 ) n_fc , and m is a pos- 
itive integer. For convenience we denote by C\ C (Z 2 ) n 
the [n, k] code with parity check matrix A. We first 
show how to construct in polynomial time an instance 
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({ai,/3 3 -},73) of both problems QMLD and DQMLD em- 
bedding the information of (A, y, m), and then show how 
a solution to either QMLD or DQMLD can be used to 
compute in polynomial time the solution to the prob- 
lem CMLD. 

Let us define the vector z = (yi, . . . , y n -k,0, ■ ■ • , 0) G 
(Z 2 )" and fix 73 = (0\z) G (Z 2 ) 2 ™. We then define two 
families {c*i}i<i<n and {/3i}i<i< n of vectors in (Z 2 ) 2 " as 
follows. For each i G {1, . . . , n} the vector a.i is the i-th 
row of the matrix 



n—k 
< > 

In-k 





k 

P 

h 








X n — k 



For each i G {1, . . 
the matrix 



-<-)• 





< >• 

In-k 
P T 



k 
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J n - 



Notice that {aJi<K n and {fii}i<i< n satisfy ©-(H]). 
The reason why a, (3 n _k+£ = for i G {1, . . . , n — k} 
and I G {1, . . . , k} may be unclear. This is because 

a, Pn-k+t = [P T ]u + [P]u = 

since we are working over the binary field. The families 
{oti}\<i< n and {/3i}i<i< n define the following subsets 
of(Z 2 ) 2 ™: 

C 1 - = {(u\0) : Vw G Ci) , (15) 

C = {(u\v) : Vu G (Z 2 ) n , and V« G CJ , (16) 

r={(O|6i ) ...,6 B _fc,0,...,0):6i s ...,6 B _ fc 6Za}. (17) 

Observe that 73 G T and notice that 

7 3 + L= {(u\v) : Vm G i?,and ez + CJ, (18) 

where R is the subset of (Z 2 ) n defined as R — 
{(0, ...,0, ci,...,c fc ) : ci,...,c fc G Z 2 }. Moreover, for 
any u> G 73 + L written asw= ( M l' u ) with tt, v G (Z 2 ) n , 
we have 



wt(u> + /x) = |w| + wt(/u + (tt[0)) 



(19) 



for all peC 1 . 

The second step of the proof is specific to the prob- 
lem considered. Let us first consider the reduction from 
CMLD to QMLD, which is the simplest case. If we run an 
algorithm for QMLD on the instance ({ctj, j3j}, 73) just 
constructed, the output will be 

7 = argmin [wt(7 + 73)] ■ 
■yeL 

Let us write 7 = (u\v) and notice that necessarily u = 0. 
Then, using the fact that A is the parity check matrix of 
C\ and Az = y, we obtain: 

wt(7 + 7 3 ) = \v + z\ 

= mm vez+Cl [ \v\ } 
= min „ e( z 2 )" [ \v\ }. 

s. t. Av—y 



Let us now consider the reduction from CMLD to 
DQMLD. If we run an algorithm for DQMLD on the 
instance ({a*, f3j}, 73), the output will be 



7 



arg max 

■yeL 



WGT+T3+C 



Let us write 7 = (u\v) with u, v G (Z 2 ) n . Observe that, 
for any r = (ti|w) G 73 + L, Equality (|T9]) implies that 



,wt(M+T) / j _ p^ 2 ™- 



■wt(/j+r) 



= k u -A„ (20) 



1} the vector /3j is the i-th row of where 



\^ p wt(»+(u\0)) ^ _^2n-wt(/x+(u|0))_ &nd 



1-p 



Notice that Expression (|20|) reaches its maximum over 
73 + L for the value r = 7 + 73 = + z). Due to 
properties of the set 73 + L immediate from Equation 
(fT8| . it is easy to see that the term A„ also reaches its 
maximum for the value 7 + 73, i.e., 



Ai+z 



max [X v ] 
(u|u)e-)<3+£ 



Since the term At, is maximized for a vector v of minimal 
weight (because p < 1/2), we conclude that 

\v + z\ = min (uWe73+i [H] 
= mm vez+Cl [\ v \ } 
= min „ e ( Za )« [ \v\ }, 

s. t. Av—y 

where the second equality comes from Equation (|18|) . 

Then, for both QMLD and DQMLD, the obtained 
value v can be used to solve the original instance of 
CMLD in a straightforward way: there exists a vector 
w G (Z 2 ) n with \w\ < m such that Aw — y if and only if 
\v + z\ < m. To summarize, if there exists a polynomial- 
time algorithm solving either QMLD or DQMLD, it will 
of course work in polynomial-time for the instance con- 
structed above, and then solves in polynomial-time the 
problem CMLD. This shows that the problems QMLD 
and DQMLD are NP-hard, and completes the proof of 
our main theorem. 

Though the independency assumption of the bit er- 
rors and phase errors in our channel model leads to a 
great simplification (because all the probabilities involv- 
ing the degeneracy of the code can be factored out), we 
shall stress that the resulting decoding problem still cap- 
tures the quantumness in the sense that the degeneracy 
is preserved. Equivalently, such problem can be viewed 
as classical coset decoding, where the goal is to find a 
coset leader of a particular classical code, instead of sim- 
ply classical ML decoding. 
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IV. CONCLUSION 

In this paper, we rigorously formulated and proved 
that general quantum decoding is NP-hard. This set- 
tles the longstanding problem of classifying the computa- 
tional problem of the general quantum decoding regard- 
less of the QECCs being degenerate or non-degenerate. 
Our result also implies that classically finding a target 
coset representative is hard since QECCs are instances 
of classical coset codes. Finally, our result established 
the theoretic foundation of the development of a quan- 
tum McEliece cryptosystem. 

One interesting follow-up work is to investigate hard- 
ness with respect to the complexity class defined in terms 
of a model of quantum computation since quantum de- 
coding problems are genuine quantum information pro- 
cessing tasks. A first target may be the quantum com- 
plexity class QMA (see, e.g., [131)) which is often con- 
sidered as a natural quantum version of NP. One can 



indeed ask if the decoding problems considered in these 
papers are QMA- hard as well. Finally, even if the prob- 
lems QMLD and DQMLD are NP-hard, as shown in this 
paper, it would be desirable to develop algorithms for 
them: algorithms with subexponential time complexity, 
approximation algorithms, or algorithms working for spe- 
cial cases. 
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